Posted to dev@santuario.apache.org by James Reeves <ja...@hybridfour.com> on 2006/05/05 11:23:13 UTC
Possible c14n bugs
Hi,
I think I've discovered two bugs in the c14n methods of XML Security.
Your site recommends bringing up bugs on the mailing list first (a
sensible precaution!), so I'll detail my findings here and see if anyone
can confirm if these bugs are valid. I'm using the Java 1.3 version of XML
Security.
The first potential problem is that XML security doesn't appear to order
namespace attributes in the same manner as the W3C spec. The W3C c14n
spec gives an example here: http://www.w3.org/TR/xml-c14n#Example-SETags
In the W3C example, it transforms this tag:
<e5 a:attr="out" b:attr="sorted" attr2="all" attr="I'm"
xmlns:b="http://www.ietf.org"
xmlns:a="http://www.w3.org"
xmlns="http://example.org"/>
Into this (ignore the word-wrapping - it's all one line):
<e5 xmlns="http://example.org" xmlns:a="http://www.w3.org"
xmlns:b="http://www.ietf.org" attr="I'm" attr2="all" b:attr="sorted"
a:attr="out"></e5>
I tried the same test using the XMLUtils.outputDOMc14nWithComments
method, and it returned this result (again, ignore the word-wrapping):
<e5 a:attr="out" attr="I'm" attr2="all" b:attr="sorted"
xmlns="http://example.org" xmlns:a="http://www.w3.org"
xmlns:b="http://www.ietf.org"></e5>
The second problem is that in the spec, empty xmlns attributes are
removed. Thus, this original tag:
<e6 xmlns="" xmlns:a="http://www.w3.org">
Becomes this, when c14n'd:
<e6 xmlns:a="http://www.w3.org">
The XMLUtils.outputDOMc14nWithComments method does not remove the
redundant xmlns attribute:
<e6 xmlns="" xmlns:a="http://www.w3.org">
The code I used to obtain all of this output is attached.
--
James Reeves
http://www.hybridfour.com
Re: Possible c14n bugs
Posted by Raul Benito <ra...@apache.org>.
Don't worry. Anyway, thanks for caring....
Regards,
On 5/5/06, James Reeves <ja...@hybridfour.com> wrote:
> Raul Benito wrote:
> > Can you test again with this change?
>
> Aha! You're correct; setting namespaceAware to true solves the problem
> completely.
>
> Apologies for the false alarm. In hindsight it seems all too obvious.
>
> --
> James Reeves
> http://www.hybridfour.com
>
>
--
http://r-bg.com
Re: Possible c14n bugs
Posted by James Reeves <ja...@hybridfour.com>.
Raul Benito wrote:
> Can you test again with this change?
Aha! You're correct; setting namespaceAware to true solves the problem
completely.
Apologies for the false alarm. In hindsight it seems all too obvious.
--
James Reeves
http://www.hybridfour.com
Re: Possible c14n bugs
Posted by Raul Benito <ra...@apache.org>.
It looks really weird to me.
Perhaps the documentBuilder is not namespace aware...
See javadoc for DocumentBuilder...
setNamespaceAware
public void setNamespaceAware(boolean awareness)
Specifies that the parser produced by this code will provide
support for XML namespaces. By default the value of this is set to
false
Parameters:
awareness - true if the parser produced will provide support
for XML namespaces; false otherwise.
Can you test again with this change?
Regards,
On 5/5/06, James Reeves <ja...@hybridfour.com> wrote:
> Hi,
>
> I think I've discovered two bugs in the c14n methods of XML Security.
> Your site recommends bringing up bugs on the mailing list first (a
> sensible precaution!), so I'll detail my findings here and see if anyone
> can confirm if these bugs are valid. I'm using the Java 1.3 version of XML
> Security.
>
> The first potential problem is that XML security doesn't appear to order
> namespace attributes in the same manner as the W3C spec. The W3C c14n
> spec gives an example here: http://www.w3.org/TR/xml-c14n#Example-SETags
>
> In the W3C example, it transforms this tag:
>
> <e5 a:attr="out" b:attr="sorted" attr2="all" attr="I'm"
> xmlns:b="http://www.ietf.org"
> xmlns:a="http://www.w3.org"
> xmlns="http://example.org"/>
>
> Into this (ignore the word-wrapping - it's all one line):
>
> <e5 xmlns="http://example.org" xmlns:a="http://www.w3.org"
> xmlns:b="http://www.ietf.org" attr="I'm" attr2="all" b:attr="sorted"
> a:attr="out"></e5>
>
> I tried the same test using the XMLUtils.outputDOMc14nWithComments
> method, and it returned this result (again, ignore the word-wrapping):
>
> <e5 a:attr="out" attr="I'm" attr2="all" b:attr="sorted"
> xmlns="http://example.org" xmlns:a="http://www.w3.org"
> xmlns:b="http://www.ietf.org"></e5>
>
> The second problem is that in the spec, empty xmlns attributes are
> removed. Thus, this original tag:
>
> <e6 xmlns="" xmlns:a="http://www.w3.org">
>
> Becomes this, when c14n'd:
>
> <e6 xmlns:a="http://www.w3.org">
>
> The XMLUtils.outputDOMc14nWithComments method does not remove the
> redundant xmlns attribute:
>
> <e6 xmlns="" xmlns:a="http://www.w3.org">
>
> The code I used to obtain all of this output is attached.
>
> --
> James Reeves
> http://www.hybridfour.com
>
>
>
> import java.io.StringReader;
>
> import javax.xml.parsers.DocumentBuilder;
> import javax.xml.parsers.DocumentBuilderFactory;
>
> import org.apache.xml.security.utils.XMLUtils;
> import org.w3c.dom.Document;
> import org.xml.sax.InputSource;
>
> public class XmlC14nTest
> {
>     public static void main(String[] args) throws Exception
>     {
>         // Initialise the XML Security library before using any of its utilities.
>         org.apache.xml.security.Init.init();
>
>         // Test document taken from the W3C c14n spec example (Example-SETags).
>         String xml = "<!DOCTYPE doc [<!ATTLIST e9 attr CDATA \"default\">]>\n" +
>             "<doc>\n" +
>             " <e1 />\n" +
>             " <e2 ></e2>\n" +
>             " <e3 name = \"elem3\" id=\"elem3\" />\n" +
>             " <e4 name=\"elem4\" id=\"elem4\" ></e4>\n" +
>             " <e5 a:attr=\"out\" b:attr=\"sorted\" attr2=\"all\" attr=\"I'm\"\n" +
>             " xmlns:b=\"http://www.ietf.org\"\n" +
>             " xmlns:a=\"http://www.w3.org\"\n" +
>             " xmlns=\"http://example.org\"/>\n" +
>             " <e6 xmlns=\"\" xmlns:a=\"http://www.w3.org\">\n" +
>             " <e7 xmlns=\"http://www.ietf.org\">\n" +
>             " <e8 xmlns=\"\" xmlns:a=\"http://www.w3.org\">\n" +
>             " <e9 xmlns=\"\" xmlns:a=\"http://www.ietf.org\"/>\n" +
>             " </e8>\n" +
>             " </e7>\n" +
>             " </e6>\n" +
>             "</doc>\n";
>
>         // Default JAXP factory: namespace awareness is off unless
>         // setNamespaceAware(true) is called, so xmlns declarations are
>         // parsed as ordinary attributes of the element.
>         DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
>
>         Document document = builder.parse(new InputSource(new StringReader(xml)));
>
>         // Canonicalise (C14N with comments) and write the result to stdout.
>         XMLUtils.outputDOMc14nWithComments(document, System.out);
>     }
> }
>
>
>
--
http://r-bg.com
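The fix Raul points to, as an added example that is not part of the thread and not the project's own test code: the same harness run twice, once with the JAXP default (namespaceAware=false) and once with setNamespaceAware(true), checked against the W3C expected output for the e5 and e6 cases. This matters beyond cosmetics: an XML signature's reference digests are computed over the canonical byte stream, so a DOM built by a non-namespace-aware parser canonicalises to different bytes and the signature fails to verify (or is computed over the wrong form) even though the document is unchanged. The class name, the reduction of each case to a single root element, and the use of the 1.x-era signature XMLUtils.outputDOMc14nWithComments(Node, OutputStream) from the thread are my assumptions; the expected strings are the ones from the W3C example quoted above.

```java
import java.io.ByteArrayOutputStream;
import java.io.StringReader;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XmlC14nNamespaceAwareTest
{
    // Inputs from the W3C example (http://www.w3.org/TR/xml-c14n#Example-SETags),
    // each reduced to a single root element so the expected output stays short.
    static final String E5_INPUT =
        "<e5 a:attr=\"out\" b:attr=\"sorted\" attr2=\"all\" attr=\"I'm\"\n" +
        "    xmlns:b=\"http://www.ietf.org\"\n" +
        "    xmlns:a=\"http://www.w3.org\"\n" +
        "    xmlns=\"http://example.org\"/>";
    // Namespace declarations first (default, then by prefix), then attributes
    // sorted by namespace URI and local name.
    static final String E5_EXPECTED =
        "<e5 xmlns=\"http://example.org\" xmlns:a=\"http://www.w3.org\" " +
        "xmlns:b=\"http://www.ietf.org\" attr=\"I'm\" attr2=\"all\" " +
        "b:attr=\"sorted\" a:attr=\"out\"></e5>";

    // A superfluous xmlns="" must be dropped.
    static final String E6_INPUT = "<e6 xmlns=\"\" xmlns:a=\"http://www.w3.org\"/>";
    static final String E6_EXPECTED = "<e6 xmlns:a=\"http://www.w3.org\"></e6>";

    /** Parses xml with the given namespace setting and returns its C14N-with-comments form. */
    static String canonicalize(String xml, boolean namespaceAware) throws Exception
    {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(namespaceAware);   // false is the JAXP default
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document document = builder.parse(new InputSource(new StringReader(xml)));

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        XMLUtils.outputDOMc14nWithComments(document, out);
        return out.toString("UTF-8");
    }

    static void check(String label, String input, String expected) throws Exception
    {
        String withoutNs = canonicalize(input, false);
        String withNs = canonicalize(input, true);
        System.out.println(label + " (namespaceAware=false): " + withoutNs);
        System.out.println(label + " (namespaceAware=true):  " + withNs);
        // Only the namespace-aware DOM is expected to match the spec.
        if (!expected.equals(withNs)) {
            throw new AssertionError(label + ": expected " + expected + " but got " + withNs);
        }
    }

    public static void main(String[] args) throws Exception
    {
        org.apache.xml.security.Init.init();
        check("e5", E5_INPUT, E5_EXPECTED);
        check("e6", E6_INPUT, E6_EXPECTED);
    }
}
```

The practical rule this encodes: any DocumentBuilderFactory whose output is handed to the canonicaliser or to XMLSignature must have setNamespaceAware(true), and a unit test like the one above, pinned to the spec's expected bytes, catches a misconfigured factory before it shows up as an unexplained signature-verification failure.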